Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Google Safe Browsing (High Level)

Google Safe Browsing (High Level)

What is it? How does Firefox use it? How can you use it as a web developer?


luke crouch

January 15, 2018


  1. None
  2. • What is SafeBrowsing? • How we (Firefox) use SafeBrowsing

    • How you can use SafeBrowsing
  3. What is Safe Browsing? safebrowsing.google.com

  4. It’s a free service operated by Google • It hosts

    lists of urls • malware • other unwanted software • phishing / social engineering • It’s used by Android, Gmail, Ads, Search, Chrome, Firefox, Safari, Opera
  5. visiting malware url in Firefox

  6. visiting unwanted software url in Firefox

  7. visiting phishing url in Firefox

  8. How are urls added to the lists?

  9. phishing url

  10. submit to Safe Browsing https://safebrowsing.google.com/safebrowsing/ report_badware/?hl=en

  11. submit from Firefox Help → Report Deceptive Site

  12. submit from Firefox

  13. How many sites are in the lists?

  14. https://transparencyreport.google.com/safe-browsing/overview

  15. https://transparencyreport.google.com/safe-browsing/overview

  16. https://transparencyreport.google.com/safe-browsing/overview

  17. https://transparencyreport.google.com/safe-browsing/overview

  18. How often do people encounter these sites?

  19. https://transparencyreport.google.com/safe-browsing/overview

  20. How does use Safe Browsing?

  21. https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/

  22. Firefox extension 2005

  23. added to Firefox 2006

  24. Checking “live” adds too much latency to page loads •

    Firefox gets new bad urls from Google every 30m • Before displaying a page to a user, check local db
  25. The whole list is too big to download • each

    URL is canonicalized • then hashed • only the first 32 bits are kept
  26. False positives • Many urls could have the same 32-bit

    hash prefix • Get all the full hashes with the 32-bit prefix from the server • If page doesn’t match a full hash, it’s not on the list
  27. Download protection • Download the file • Check the main

    url, referrer and redirect chain against local blocklist; block if match • (Windows) if signed, check signature against allow-list of good publishers • If file is not binary, allow • If binary, send metadata to application reputation server
  28. What metadata? • filename • filesize • sha256 hash •

  29. Privacy • Browsers don't send all visited urls to Google

    • Safe Browsing data is never used anywhere else at Google • Firefox removes query string params from download check • Firefox stores Safe Browsing cookies in separate storage • Firefox adds a number of extra “noise” 32-bit hashes when requesting complete hashes
  30. How can you use it?

  31. developers.google.com/safe-browsing

  32. Need to get your site off the list? https://support.google.com/webmasters/answer/3258249?hl=en&ref_topic=4596795

  33. https://developers.google.com/safe-browsing/v4/lookup-api

  34. https://developers.google.com/safe-browsing/v4/update-api